wget-1.18-2.3 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10263-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z wget-1.18-2.3 on GA media These are all security issues fixed in the wget-1.18-2.3 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10263 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2010-2252/ SUSE CVE CVE-2010-2252 page https://www.suse.com/security/cve/CVE-2012-4929/ SUSE CVE CVE-2012-4929 page https://www.suse.com/security/cve/CVE-2014-4877/ SUSE CVE CVE-2014-4877 page https://www.suse.com/security/cve/CVE-2015-7665/ SUSE CVE CVE-2015-7665 page https://www.suse.com/security/cve/CVE-2016-4971/ SUSE CVE CVE-2016-4971 page openSUSE Tumbleweed wget-1.18-2.3 wget-1.18-2.3 as a component of openSUSE Tumbleweed GNU Wget 1.12 and earlier uses a server-provided filename instead of the original URL to determine the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a 3xx redirect to a URL with a .wgetrc filename followed by a 3xx redirect to a URL with a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory. CVE-2010-2252 openSUSE Tumbleweed:wget-1.18-2.3 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-2252.html CVE-2010-2252 https://bugzilla.suse.com/606317 SUSE Bug 606317 The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack. CVE-2012-4929 openSUSE Tumbleweed:wget-1.18-2.3 low 2.6 AV:N/AC:H/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-4929.html CVE-2012-4929 https://bugzilla.suse.com/1011293 SUSE Bug 1011293 https://bugzilla.suse.com/779952 SUSE Bug 779952 https://bugzilla.suse.com/793420 SUSE Bug 793420 https://bugzilla.suse.com/803004 SUSE Bug 803004 https://bugzilla.suse.com/847895 SUSE Bug 847895 Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink. CVE-2014-4877 openSUSE Tumbleweed:wget-1.18-2.3 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-4877.html CVE-2014-4877 https://bugzilla.suse.com/902709 SUSE Bug 902709 Tails before 1.7 includes the wget program but does not prevent automatic fallback from passive FTP to active FTP, which allows remote FTP servers to discover the Tor client IP address by reading a (1) PORT or (2) EPRT command. NOTE: within wget itself, the automatic fallback is not considered a vulnerability by CVE. CVE-2015-7665 openSUSE Tumbleweed:wget-1.18-2.3 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7665.html CVE-2015-7665 https://bugzilla.suse.com/944858 SUSE Bug 944858 GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource. CVE-2016-4971 openSUSE Tumbleweed:wget-1.18-2.3 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-4971.html CVE-2016-4971 https://bugzilla.suse.com/1023231 SUSE Bug 1023231 https://bugzilla.suse.com/984060 SUSE Bug 984060